flathub / es.estoes.wallpaperDownloader

https://flathub.org/apps/details/es.estoes.wallpaperDownloader

[question] what is the reason to manually list maven deps? #18

Open sblantipodi opened 3 days ago

sblantipodi commented 3 days ago

I'm sorry if I quote you @guihkx but I would like to understand why Flathub is not considering that Java doesn't work that way.

What is the added value in manually adding the Maven deps here? Listing hundreds of deps for a second time, outside of the pom.xml, is considered better?

A GitHub CI can build your app with Maven as it should be built, what is the added value here?

In that way you could even build your app with jpackage in order to use the exact runtime you need, without the need for the entire JDK and without the need for a Java runtime extension.

In addition, Java is an interpreted language, you are not linking anything, building the same things two times brings no benefit.

I just want to understand what is the reasoning here because I feel that I'm missing something.

guihkx commented 2 days ago

By default, Flathub disables network support at build time (i.e. flatpak-builder --sandbox), so that's why you have to provide a list of all your dependencies beforehand, because Maven (or any other package manager, from any other programming language) won't be able to fetch dependencies by itself, since it's not allowed to go to the internet.

> What is the added value in manually adding the Maven deps here?

It helps ensure build reproducibility.

> In that way you could even build your app with jpackage in order to use the exact runtime you need, without the need for the entire JDK and without the need for a Java runtime extension.

I'm not familiar with jpackage, but what you're describing seems to be possible on Flathub as well.

We rely on the OpenJDK 11 extension here for two main reasons: to build the app using the JDK, and to copy the Java runtime (JRE) afterwards so the app can run.

Using the OpenJDK extension from Flathub is recommended because it's also built from source against a Flatpak runtime, so it's guaranteed that the Java interpreter will work as intended, something we can't guarantee with a third-party Java build that we don't know how it was built.

> In addition, Java is an interpreted language, you are not linking anything, building the same things two times brings no benefit.

I think we're entering into a philosophical debate here, but I do personally consider build reproducibility to increase the trustworthiness of an app, and in my eyes, that's a huge benefit.
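
The dependency pinning discussed in this thread, as an added illustration that is not part of the thread or of the project's manifest: each Maven artifact becomes a flatpak-builder `file` source with a fixed URL and SHA-256, so the network-less build only ever sees bytes that match the pin. The coordinates, the sample bytes, the `maven-repo` directory name and the use of Maven Central as the base URL are assumptions made for the example.

```python
import hashlib
import json

# Assumption: artifacts come from Maven Central's public repository layout.
MAVEN_CENTRAL = "https://repo1.maven.org/maven2"


def repo_path(group_id, artifact_id, version, ext="jar"):
    """Standard Maven repository layout: dots in the groupId become directories."""
    directory = f"{group_id.replace('.', '/')}/{artifact_id}/{version}"
    return directory, f"{artifact_id}-{version}.{ext}"


def source_entry(coord, content, base=MAVEN_CENTRAL, local_repo="maven-repo"):
    """Build one flatpak-builder 'file' source that pins the artifact by SHA-256."""
    group_id, artifact_id, version = coord.split(":")
    directory, filename = repo_path(group_id, artifact_id, version)
    return {
        "type": "file",
        "url": f"{base}/{directory}/{filename}",
        "sha256": hashlib.sha256(content).hexdigest(),
        # Hypothetical local repository directory laid out like ~/.m2/repository.
        "dest": f"{local_repo}/{directory}",
        "dest-filename": filename,
    }


def verify(entry, content):
    """The check a pinned source implies: reject bytes that differ from the pin."""
    return hashlib.sha256(content).hexdigest() == entry["sha256"]


# Constructed sample: placeholder coordinates and bytes, not a real artifact.
SAMPLE_COORD = "org.example:demo-lib:1.2.3"
SAMPLE_BYTES = b"constructed jar bytes for illustration"

if __name__ == "__main__":
    entry = source_entry(SAMPLE_COORD, SAMPLE_BYTES)
    print(json.dumps([entry], indent=2))
    print("untampered:", verify(entry, SAMPLE_BYTES))
    print("tampered:  ", verify(entry, SAMPLE_BYTES + b"!"))
```

With sources laid out this way, Maven can be run offline against the pre-populated directory (`mvn -o -Dmaven.repo.local=maven-repo`), and a changed upstream artifact fails the hash check instead of silently entering the build.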